Spring Security 4 Hello World Annotation+XML Example

This tutorial demonstrates Spring Security 4 usage to secure a Spring MVC web application, securing URL access with authentication. We will use classic Hello World example to learn Spring Security 4 basics. This post uses Spring Annotation based configuration for Servlet 3.0 containers [thus no web.xml] and also shows corresponding XML based Security configuration for side-by-side comparison where applicable.


Following technologies being used:

  • Spring 4.1.6.RELEASE
  • Spring Security 4.0.1.RELEASE
  • Maven 3
  • JDK 1.7
  • Tomcat 8.0.21
  • Eclipse JUNO Service Release 2

Let’s begin.

Step 1: Project directory structure

Following will be the final project structure:

SpringSecurityHelloWorldAnnotationExample_img0

Let’s now add the content mentioned in above structure explaining each in detail.

Step 2: Update pom.xml to include required dependencies

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>

	<groupId>com.websystique.springsecurity</groupId>
	<artifactId>SpringSecurityHelloWorldAnnotationExample</artifactId>
	<version>1.0.0</version>
	<packaging>war</packaging>

	<name>SpringSecurityHelloWorldAnnotationExample</name>

	<properties>
		<springframework.version>4.1.6.RELEASE</springframework.version>
		<springsecurity.version>4.0.1.RELEASE</springsecurity.version>
	</properties>

	<dependencies>
		<!-- Spring -->
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-core</artifactId>
			<version>${springframework.version}</version>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-web</artifactId>
			<version>${springframework.version}</version>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-webmvc</artifactId>
			<version>${springframework.version}</version>
		</dependency>

		<!-- Spring Security -->
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>${springsecurity.version}</version>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>${springsecurity.version}</version>
		</dependency>

		<dependency>
			<groupId>javax.servlet</groupId>
			<artifactId>javax.servlet-api</artifactId>
			<version>3.1.0</version>
		</dependency>
		<dependency>
			<groupId>javax.servlet.jsp</groupId>
			<artifactId>javax.servlet.jsp-api</artifactId>
			<version>2.3.1</version>
		</dependency>
		<dependency>
			<groupId>javax.servlet</groupId>
			<artifactId>jstl</artifactId>
			<version>1.2</version>
		</dependency>
	</dependencies>

	<build>
		<pluginManagement>
			<plugins>
				<plugin>
					<groupId>org.apache.maven.plugins</groupId>
					<artifactId>maven-compiler-plugin</artifactId>
					<version>3.2</version>
					<configuration>
						<source>1.7</source>
						<target>1.7</target>
					</configuration>
				</plugin>
				<plugin>
					<groupId>org.apache.maven.plugins</groupId>
					<artifactId>maven-war-plugin</artifactId>
					<version>2.4</version>
					<configuration>
						<warSourceDirectory>src/main/webapp</warSourceDirectory>
						<warName>SpringSecurityHelloWorldAnnotationExample</warName>
						<failOnMissingWebXml>false</failOnMissingWebXml>
					</configuration>
				</plugin>
			</plugins>
		</pluginManagement>
		<finalName>SpringSecurityHelloWorldAnnotationExample</finalName>
	</build>
</project>

First thing to notice here is the maven-war-plugin declaration. As we are using full annotation configuration, we don’t even use web.xml, so we will need to configure this plugin in order to avoid maven failure to build war package. We are using latest versions(at time of writing) of Spring and Spring Security.

Along with that, we have also included JSP/Servlet/Jstl dependencies which we will be needing as we are going to use servlet api’s and jstl view in our code. In general, containers might already contains these libraries, so we can set the scope as ‘provided’ for them in pom.xml.

Step 3: Add Spring Security Configuration Class

The first and foremost step to add spring security in our application is to create Spring Security Java Configuration. This configuration creates a Servlet Filter known as the springSecurityFilterChain which is responsible for all the security (protecting the application URLs, validating submitted username and passwords, redirecting to the log in form, etc) within our application.

com.websystique.springsecurity.configuration.SecurityConfiguration

package com.websystique.springsecurity.configuration;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

	@Autowired
	public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
		auth.inMemoryAuthentication().withUser("bill").password("abc123").roles("USER");
		auth.inMemoryAuthentication().withUser("admin").password("root123").roles("ADMIN");
		auth.inMemoryAuthentication().withUser("dba").password("root123").roles("ADMIN","DBA");//dba have two roles.
	}
	
	@Override
	protected void configure(HttpSecurity http) throws Exception {
 
	  http.authorizeRequests()
	  	.antMatchers("/", "/home").permitAll() 
		.antMatchers("/admin/**").access("hasRole('ADMIN')")
		.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
		.and().formLogin()
		.and().exceptionHandling().accessDeniedPage("/Access_Denied");
 
	}
}

Method configureGlobalSecurity in above class configures AuthenticationManagerBuilder with user credentials and allowed roles. This AuthenticationManagerBuilder creates AuthenticationManager which is responsible for processing any authentication request. Notice that in above example, we have used in-memory authentication while you are free to choose from JDBC, LDAP and other authentications.

The overridden Method Configure configures HttpSecurity which allows configuring web based security for specific http requests. By default it will be applied to all requests, but can be restricted using requestMatcher(RequestMatcher)/antMathchers or other similar methods.

In above configuration, we say that URL’s ‘/’ & ‘/home’ are not secured, anyone can access them. URL ‘/admin/**’ can only be accessed by someone who have ADMIN role. URL ‘/db/**’ can only be accessed by someone who have both ADMIN and DBA roles.

Method formLogin provides support for form based authentication and will generate a default form asking for user credentials. You are allowed to configure your own login form.We will see examples for the same in subsequent posts.

We have also used exceptionHandling().accessDeniedPage() which in this case will catch all 403 [http access denied] exceptions and display our user defined page instead of showing default HTTP 403 page [ which is not so helpful anyway].

Above security configuration in XML configuration format would be:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">
     
    <http auto-config="true" >
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/home" access="permitAll" />
        <intercept-url pattern="/admin**" access="hasRole('ADMIN')" />
        <intercept-url pattern="/dba**" access="hasRole('ADMIN') and hasRole('DBA')" />
        <form-login  authentication-failure-url="/Access_Denied" />
    </http>
 
    <authentication-manager >
        <authentication-provider>
            <user-service>
                <user name="bill"  password="abc123"  authorities="ROLE_USER" />
                <user name="admin" password="root123" authorities="ROLE_ADMIN" />
                <user name="dba"   password="root123" authorities="ROLE_ADMIN,ROLE_DBA" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
     
    
</beans:beans>

Step 4: Register the springSecurityFilter with war

Below specified initializer class registers the springSecurityFilter [created in Step 3] with application war.

com.websystique.springsecurity.configuration.SecurityWebApplicationInitializer

package com.websystique.springsecurity.configuration;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

}

Above setup in XML configuration format would be:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Step 5: Add Controller

com.websystique.springsecurity.controller.HelloWorldController

package com.websystique.springsecurity.controller;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class HelloWorldController {

	
	@RequestMapping(value = { "/", "/home" }, method = RequestMethod.GET)
	public String homePage(ModelMap model) {
		model.addAttribute("greeting", "Hi, Welcome to mysite. ");
		return "welcome";
	}

	@RequestMapping(value = "/admin", method = RequestMethod.GET)
	public String adminPage(ModelMap model) {
		model.addAttribute("user", getPrincipal());
		return "admin";
	}

	@RequestMapping(value = "/db", method = RequestMethod.GET)
	public String dbaPage(ModelMap model) {
		model.addAttribute("user", getPrincipal());
		return "dba";
	}

	@RequestMapping(value="/logout", method = RequestMethod.GET)
	   public String logoutPage (HttpServletRequest request, HttpServletResponse response) {
	      Authentication auth = SecurityContextHolder.getContext().getAuthentication();
	      if (auth != null){    
	         new SecurityContextLogoutHandler().logout(request, response, auth);
	      }
	      return "welcome";
	   }

	@RequestMapping(value = "/Access_Denied", method = RequestMethod.GET)
	public String accessDeniedPage(ModelMap model) {
		model.addAttribute("user", getPrincipal());
		return "accessDenied";
	}
	
	private String getPrincipal(){
		String userName = null;
		Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();

		if (principal instanceof UserDetails) {
			userName = ((UserDetails)principal).getUsername();
		} else {
			userName = principal.toString();
		}
		return userName;
	}
}

Methods in controller class are trivial. Method getPrincipal is a generic function which returns the logged in user name from Spring SecurityContext. Method logoutPage handles the logging out with a simple call to SecurityContextLogoutHandler().logout(request, response, auth);. It’s handy and saves you from putting cryptic logout logic in your JSP’s which is not really manageable. You might have noticed that ‘/login’ is missing, it is because it will be generated and handled by default by Spring Security.

Step 6: Add SpringMVC Configuration Class

com.websystique.springsecurity.configuration.HelloWorldConfiguration

package com.websystique.springsecurity.configuration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.ViewResolver;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;

@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.websystique.springsecurity")
public class HelloWorldConfiguration {
	
	@Bean
	public ViewResolver viewResolver() {
		InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
		viewResolver.setViewClass(JstlView.class);
		viewResolver.setPrefix("/WEB-INF/views/");
		viewResolver.setSuffix(".jsp");

		return viewResolver;
	}

}

Step 7: Add Initializer class

com.websystique.springsecurity.configuration.HelloWorldConfiguration

package com.websystique.springsecurity.configuration;

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class SpringMvcInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

	@Override
	protected Class<?>[] getRootConfigClasses() {
		return new Class[] { HelloWorldConfiguration.class };
	}
 
	@Override
	protected Class<?>[] getServletConfigClasses() {
		return null;
	}
 
	@Override
	protected String[] getServletMappings() {
		return new String[] { "/" };
	}

}

Notice that above initializer class extends AbstractAnnotationConfigDispatcherServletInitializer which is the base class for all WebApplicationInitializer implementations. Implementations of WebApplicationInitializer configures ServletContext programatically, for Servlet 3.0 environments. It means we won’t be using web.xml and we will deploy the app on Servlet 3.0 container.

Step 8: Add Views

welcome.jsp

<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<html>
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
	<title>HelloWorld page</title>
</head>
<body>
	Greeting : ${greeting}
	This is a welcome page.
</body>
</html>

admin.jsp

<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
	<title>HelloWorld Admin page</title>
</head>
<body>
	Dear <strong>${user}</strong>, Welcome to Admin Page.
	<a href="<c:url value="/logout" />">Logout</a>
</body>
</html>

dba.jsp

<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
	<title>DBA page</title>
</head>
<body>
	Dear <strong>${user}</strong>, Welcome to DBA Page.
	<a href="<c:url value="/logout" />">Logout</a>
</body>
</html>

accessDenied.jsp

<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
	<title>AccessDenied page</title>
</head>
<body>
	Dear <strong>${user}</strong>, You are not authorized to access this page
	<a href="<c:url value="/logout" />">Logout</a>
</body>
</html>

Step 9: Build and Deploy the application

As mentioned in Step 7, we are not using web.xml in our application as the ServletContext is loaded programmatically.

Now build the war (either by eclipse/m2eclipse) or via maven command line( mvn clean install). Deploy the war to a Servlet 3.0 container . Since here i am using Tomcat, i will simply put this war file into tomcat webapps folder and click on start.bat inside tomcat bin directory.

Run the application
Open browser and goto localhost:8080/SpringSecurityHelloWorldAnnotationExample/

SpringSecurityHelloWorldAnnotationExample_img1

Now try to access admin page on localhost:8080/SpringSecurityHelloWorldAnnotationExample/admin, you will be prompted for login.

SpringSecurityHelloWorldAnnotationExample_img2

Provide credentials of a ‘USER’ role.

SpringSecurityHelloWorldAnnotationExample_img3

Submit, you will see AccessDenied Page

SpringSecurityHelloWorldAnnotationExample_img4

Now logout and try to access admin page again

SpringSecurityHelloWorldAnnotationExample_img5

Provide wrong password

SpringSecurityHelloWorldAnnotationExample_img6

Provide proper admin role credentials and login

SpringSecurityHelloWorldAnnotationExample_img7

Now try to access db page on localhost:8080/SpringSecurityHelloWorldAnnotationExample/db, you will get AccessDenied page.

SpringSecurityHelloWorldAnnotationExample_img8

Logout, you will be back at home page.

SpringSecurityHelloWorldAnnotationExample_img9

That’s it for the basic introduction. Next post shows you how we can use our own custom login form iso spring’s auto-generated login form.

Download Source Code


References

If you like tutorials on this site, why not take a step further and connect me on Facebook , Google Plus & Twitter as well? I would love to hear your thoughts on these articles, it will help me improve further our learning process.

If you appreciate the effort I have put in this learning site, help me improve the visibility of this site towards global audience by sharing and linking this site from within and beyond your network. You & your friends can always link my site from your site on www.websystique.com, and share the learning.

After all, we are here to learn together, aren’t we?

  • Muhammad Arslan Anjum

    In my case I modified following to make it working. Just sharing my experience
    @Override
    protected Class[] getRootConfigClasses() {
    return new Class[] { HelloWorldConfiguration.class, SecurityConfiguration.class };
    }

  • Pingback: Spring Security 4 Logout Example - WebSystique()

  • Pingback: Spring Security 4 Secure View Fragments using taglibs - WebSystique()

  • Ngu Nguyen Quang
  • Denis Putnam

    forgive my ignorance here, but is there a way I can add this application to my app server within my IDE?

    • websystique

      Hi Denis, Ofcourse. You just need to prepare your environment and import this maven project. You may want to look at Setup Tomcat with Eclipse for any setup related issues.

  • Pingback: Spring 4 Hello World Example - WebSystique()

  • Pingback: Spring Security 4 Hibernate Role Based Login Example - WebSystique()

  • Pingback: Spring Security 4 Hibernate Integration Annotation+XML Example - WebSystique()

  • lordlewo

    Hi, very great tutorial, thanks a lot, it helped me a lot too !!

    ps: there is a misspelling in the “Step 3: Add Spring Security Configuration Class” section, exactly below in the “Above security configuration in XML configuration format would be:” paragraph.
    In this .xml configuration file :
    - the “” row must be
    “”
    - so not pattern=”/dba**” , only pattern=”/db**” , without ‘a’

    only just saying :) , once again thx badly

  • Pingback: Spring MVC 4 + Spring Security 4 + Hibernate Example - WebSystique()

  • Brian Berrelez

    When I browse out to the login path that you have specified in the tutorial

    http://localhost:8080/SpringSecurityCustomLoginFormAnnotationExample/login

    It tries to connect to a jsp page.

    HTTP Status 404 – /SpringSecurityCustomLoginFormAnnotationExample/WEB-INF/views/login.jsp
    type Status report
    message /SpringSecurityCustomLoginFormAnnotationExample/WEB-INF/views/login.jsp
    description The requested resource is not available.

    What did I do wrong?

    • Brian Berrelez

      Never mind. I had the incorrect code in my SecurityConfiguration.java class. It rejects incorrect user name and password, but on successful entries it redirects back to the main page.

  • Jaikrat Singh Tariyal

    And please add in

  • Jaikrat Singh Tariyal

    Make sure you change code “hasRole(‘ADMIN’)” to hasRole(‘ROLE_ADMIN’) or “hasRole(‘ADMIN’) and hasRole(‘DBA’)” to “hasRole(‘ROLE_ADMIN’) and hasRole(‘ROLE_DBA’)” :)

  • Stephen Battey

    Great tutorial. This has really helped me get started with the security layer in Spring.

    I spotted an important typo in the XML configuration, which I’ve posted on the Hibernate tutorial but applies here too.
    The paths to “admin” and “dba” don’t have a forward slash (which they do in the configuration-in-code version).

    This was subtle because the value “/admin**”:
    - does protect calls to “/admin”
    - but doesn’t protect calls to “/admin/users”

    So I think the intercept-url config should be:

  • rahul

    Good tutorial.
    I think you return null in getServletConfigClasses() method inside SpringMvcInitializer class which cause exception. you need to return this
    return new Class[] { HelloWorldConfiguration.class };

  • roginator

    I found in the permission checks I need to prepend ‘ROLE_’ as in, I specify the role without ‘ROLE_’ but when setting up the http.authorizeRequests() I need to add the ROLE_ in front of the role string, see below.

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication().withUser(“bill”).password(“abc123″).roles(“USER”);
    auth.inMemoryAuthentication().withUser(“admin”).password(“root123″).roles(“ADMIN”);
    auth.inMemoryAuthentication().withUser(“dba”).password(“root123″).roles(“ADMIN”,”DBA”);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
    .antMatchers(“/”, “/home”).permitAll()
    .antMatchers(“/admin/**”).access(“hasRole(‘ROLE_ADMIN’)”)
    .antMatchers(“/db/**”).access(“hasRole(‘ROLE_ADMIN’) and hasRole(‘ROLE_DBA’)”)
    .and().formLogin()
    .and().exceptionHandling().accessDeniedPage(“/Access_Denied”);
    }

    • websystique

      Hi Roginator, Which version of Spring Security are you using? With the version [4.0] used in this blog, it is optional.

      • roginator

        Great question, I was on the latest version of Spring but a 3.x version of Spring Security. Upping it to 4.0.4 (current latest) resolved that discrepancy. Great tutorial. All the meat, none of the carbs :)

        Is there a way to dynamically update the permissions in HttpSecurity.

        I’m working on a portal that will have different organizations using the service and was thinking of using ‘roles’ specific to a company to scope ability to access various URLs.

        For example myapp/company1 and my app/company2. I could assign roles specific to company1 to access that URL and roles specific to company2 to control access to that URL. If a new company signed up I’d want to add the new roles and update the security scoping.

        the controller is easy to write with a
        @RequestMapping(value=”/myapp/{companyname}) approach.

        Or if you think there’s a better way to leverage Spring security to do this I’d be interested in hearing the approach.

  • JuanMarcos

    Hi websystique, im trying to integrate this example with the one for “Spring 4 MVC+Hibernate 4+MySQL+Maven integration example using annotations” (from you)

    Im getting an error, “org.hibernate.HibernateException: No Session found for current thread”
    i guess i must inject the session to the service implements hibernate, may you help me with any idea?
    i’m a newby, thanks for all of this amazing posts

    • websystique

      Hi Juan,

      Probably, your service calls are not under a transaction. Look at this post to understand how we are annotating service class with @Transactional, and then calling dao methods from in here. Any doubt, let me know.

  • Marcus Carneiro

    Great tutorial!
    What can I do to permit access to the url http://localhost:8080/myapp without the final slash. It always send me to login page. If I write .antMatchers(“/”, “”).permitAll() it gives an error telling me that it can’t be empty.
    Everything works great if I access http://localhost:8080/myapp/

  • Pingback: Spring Security + OAuth2 – { Desarrollo JAVA }()

  • Stepan Cleverjava

    Hey Websystique,
    Although the tutorial is very nice as always, I’ve got a problem with the
    realization. I downloaded your code, but when trying to login with any proper
    name and password, I’m redirected to the welcome page. Do you have any idea
    what could cause the problem?

    • websystique

      Hi Stepan,

      For role based login(where you will be redirect to the page based on logged-in user roles), have a look at Spring Security 4 Hibernate Role Based Login Example. You will get more control over redirection after login. Let me know if i misunderstood your question.

  • guo peng

    Hi,

    Is there a tutorial for spring boot?

    • websystique

      Hi , Not yet but probably something in near future….

  • Jed Dayo

    Hi,

    Nice tutorial by the way. The application deploys and runs well in tomcat , however in Oracle Weblogic 12.1.3 it does not, suddenly the /login returns a 404.

    Have you tried to deploy this to weblogic?

    Thanks.

    • websystique

      Hi Jed,
      I don’t have Weblogic setup on my side.I have tested it on tomcat. Did you try to put debug on and check the actual issue on your weblogic server?

  • Mujahed Khan

    Dear author, Thanks for your tutorial..
    i have one question how we can define security filter in WebAppInitializer.java which implements WebApplicationInitializer

    • websystique

      Hi Mujahed,

      I would advise you to please look at Spring’s AbstractSecurityWebApplicationInitializer class.This class implements webAppliationInitializer and sets-up springSecurityFilter .

  • Erwin

    Great tutorial to get started with the basics, thanks.

  • Egor

    Your tutorials are awesome! Thank you.

    • websystique

      Glad you found them useful. I recently started posting articles on Facebook, Twitter and Google plus.You may find them interesting too.

      Thanks for visiting.

  • Pingback: Spring Security 4 Custom Login Form Annotation+XML Example - WebSystique()